Welcome to WebmasterWorld Guest from

Forum Moderators: phranque

Message Too Old, No Replies

Anyone know of a script: exclude IP ranges but allow certain IPs



12:51 pm on Dec 20, 2012 (gmt 0)

10+ Year Member

Not really sure which section this belongs in, not Apache, since this is firewall related, not search engine spiders since I already know what I want to block.

Anyway, here's the problem:

Like many others, my servers get hit on daily basis with a huge number of abusive requests from Amazon AWS ranges. I want to block these at the firewall level, and I have the IP ranges to do so. The issue is I use a couple of advertising services such as VigLink and GumGum which come through Amazon IPs. These have a few dozen IPs.

So, I'm looking for a tool or script which I can enter the IP ranges I want to block, but it rewrites them into smaller pieces so they are written "around" the IPs I want to allow in. I've searched Google to no available, and writing these by hand with a single netmask tool is a daunting task.

Anyone know of such a tool/script?


11:20 pm on Dec 20, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

I've got a bit of javascript that works in the opposite direction: Feed it a string of IP addresses (in numerical order, because that's always been the form I get things in) and it collapses them into the biggest possible blocks, leaving holes for the ones I left out. F'rinstance
...all the way through
but leaving out one /16 in the middle (I'll find out which in a moment, I just deleted at random) yields

... which tells me I left a hole for 38.35 ;)

Wasn't there another thread just a few days ago that asked a similar question?


11:35 pm on Dec 20, 2012 (gmt 0)

10+ Year Member

I have something similar, a Perl script which will collapse IPs and IP ranges into the smallest number of ranges.

I don't know if I explained it well enough for everyone (though I believe you understand :) ) so here's an example:

Have the range: for example.
I have 2 IPs in this range I need to let through. Feed the range into the program as well as the IPs to exclude. It should spit out:

Range 1
(my first excluded IP)
Range 2
(my second excluded IP)
Range 3

Obviously it would be more than 3 ranges, because I'm excluding single IPs instead of blocks which fit neatly into normal netmasks, but the above is the general idea.

I have them working pretty neatly in my Apache setup, but frankly I'm tired of it wasting resources even if its only to feed them 403 codes. I'd much rather have them eat NULL, lol.


5:11 am on Dec 21, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month

Does your firewall code use CIDR ranges, Regular Expressions, or direct numbers (like "192-223")? Can it do toggles, like "lock out everything matching A unless it also matches B"? Obviously when I answered I was thinking strictly in terms of CIDR ranges.

Featured Threads

Hot Threads This Week

Hot Threads This Month